CVE-2026-21721

HIGH

Grafana Dashboard Permissions API - Privilege Escalation

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-21721. PoCs published by XiaomingX and Leonideath.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2026-21721, which targets a privilege escalation vulnerability in Grafana. The exploit authenticates with valid credentials, reads dashboard permissions, and escalates the user's permissions to Admin (permission=4) on all dashboards.

Description

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.

Exploits (2)

GitHub · Working PoC · 10 stars
by XiaomingX · python, poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-21721

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Grafana 12.1.1
Auth required
Prerequisites: Valid Grafana account with Editor privileges
Analyzed by devstral-2 on Feb 27, 2026
nomisec · Working PoC · 2 stars
by Leonideath · poc
https://github.com/Leonideath/Exploit-LPE-CVE-2026-21721

This exploit PoC demonstrates a privilege escalation vulnerability in Grafana (CVE-2026-21721) by escalating an Editor account to Admin permissions on all dashboards. It authenticates, reads current permissions, and applies Admin (permission=4) to the attacker's user ID.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Grafana 12.1.1
Auth required
Prerequisites: Valid Editor account credentials · Network access to the Grafana instance
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Scores

CVSS v3: 8.1
EPSS: 0.0039
EPSS Percentile: 30.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-863
Status: published
Products (17)
grafana/grafana 11.6.9
grafana/grafana 12.0.8
grafana/grafana 12.1.5
grafana/grafana 12.2.3
grafana/grafana 12.3.0
grafana/grafana 12.3.1
grafana/grafana 10.2.0 - 11.6.9
Grafana/grafana/grafana 10.2.0 - 11.6.9
Grafana/grafana/grafana 12.0.0 - 12.0.8
Grafana/grafana/grafana 12.1.0 - 12.1.5
... and 7 more
Published: Jan 27, 2026
Tracked Since: Feb 18, 2026